Hi-Jackthis *Updated* Log.

[James19]

Alright I updated Hi-Jack this. but it looks the same in terms of whats there.

Logfile of HijackThis v1.97.2
Scan saved at 1:10:30 PM, on 9/12/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wins\DLLHOST.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\EarthLink 5.0\ConMgr.exe
C:\Program Files\EarthLink 5.0\Browser.exe
C:\WINDOWS\System32\wins\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\EarthLink 5.0\FastLane\ARUpld32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\My Documents\Hi-Jackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = file://C:/HP/REGION/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:/HP/REGION/start.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = file://C:/HP/REGION/start.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - Startup: Registration-Studio 7SE.lnk = C:\Program Files\Pinnacle\Studio\Register\RegTool.exe
O4 - Global Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://web.webchat.org/java/cr.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://cameras.thibault.com/activex/AxisCamControl.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A861F39-AB8D-4A94-8D2C-2B96F8AA12BC}: NameServer = 207.69.188.186 207.69.188.187

 

[OlTramp]

Hi James,
You have MSBLAST D., here-
C:\WINDOWS\System32\wins\svchost.exe
C:\WINDOWS\System32\wins\DLLHOST.EXE
I don't know how to repair it but you should find the info you want here-
http://www.pchell.com/virus/welchia.shtml
Please respond back to this thread and let me know how it goes.
You can do a free virus scan at one of these sites.
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.wilders.org/free_services.htm
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

 

[buckaroo]

You can go here for a Blaster removal tool:

http://securityresponse.symantec.com/avcenter/venc/data/w32.blaster.worm.removal.tool.html


Also, you can have HJT remove this item:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


...close your browser, check the itme in HJT and click Fix. Reboot afterwards.

 

[James19]

Thank you so much!

It was indeed the msblast d variant.

I followed the instructions,downloaded the patchs and deleted the files. I have now rebooted twice. Just to make sure they didn't copy to any other directories.

My computer run's like it's brand new. Pages only take a few second's to loadup.

 

[OlTramp]

Glad to hear it and glad we could help.